Escape a string in SQL Server so that it is safe to use in LIKE expression

sql-server tsql stored-procedures sql-like

200,139

Solution 1

To escape special characters in a LIKE expression you prefix them with an escape character. You get to choose which escape char to use with the ESCAPE keyword. (MSDN Ref)

For example this escapes the % symbol, using \ as the escape char:

select * from table where myfield like '%15\% off%' ESCAPE '\'

If you don't know what characters will be in your string, and you don't want to treat them as wildcards, you can prefix all wildcard characters with an escape char, eg:

set @myString = replace( 
                replace( 
                replace( 
                replace( @myString
                ,    '\', '\\' )
                ,    '%', '\%' )
                ,    '_', '\_' )
                ,    '[', '\[' )

(Note that you have to escape your escape char too, and make sure that's the inner replace so you don't escape the ones added from the other replace statements). Then you can use something like this:

select * from table where myfield like '%' + @myString + '%' ESCAPE '\'

Also remember to allocate more space for your @myString variable as it will become longer with the string replacement.

Solution 2

Had a similar problem (using NHibernate, so the ESCAPE keyword would have been very difficult) and solved it using the bracket characters. So your sample would become

WHERE ... LIKE '%aa[%]bb%'

If you need proof:

create table test (field nvarchar(100))
go
insert test values ('abcdef%hijklm')
insert test values ('abcdefghijklm')
go
select * from test where field like 'abcdef[%]hijklm'
go

Solution 3

Rather than escaping all characters in a string that have particular significance in the pattern syntax given that you are using a leading wildcard in the pattern it is quicker and easier just to do.

SELECT * 
FROM YourTable
WHERE CHARINDEX(@myString , YourColumn) > 0

In cases where you are not using a leading wildcard the approach above should be avoided however as it cannot use an index on YourColumn.

Additionally in cases where the optimum execution plan will vary according to the number of matching rows the estimates may be better when using LIKE with the square bracket escaping syntax when compared to both CHARINDEX and the ESCAPE keyword.

Solution 4

You specify the escape character. Documentation here:
http://msdn.microsoft.com/en-us/library/ms179859.aspx

Solution 5

Do you want to look for strings that include an escape character? For instance you want this:

select * from table where myfield like '%10%%'.

Where you want to search for all fields with 10%? If that is the case then you may use the ESCAPE clause to specify an escape character and escape the wildcard character.

select * from table where myfield like '%10!%%' ESCAPE '!'

View more solutions

200,139

embedded.kyle

Adept engineering polymath with 15+ years of experience. Specializing in all areas of Embedded Systems from circuit design and board bring-up to firmware development, OS optimization, and end-user application programming. Proficient in utilizing a wide variety of programs and languages. An enthusiastic teacher and ambitious learner.

Updated on July 08, 2020

Comments

embedded.kyle almost 4 years
How do I escape a string in SQL Server's stored procedure so that it is safe to use in LIKE expression.

Suppose I have an NVARCHAR variable like so:
```
declare @myString NVARCHAR(100);
```
And I want to use it in a LIKE expression:
```
... WHERE ... LIKE '%' + @myString + '%';
```
How do I escape the string (more specifically, characters that are meaningful to LIKE pattern matching, e.g. % or ?) in T-SQL, so that it is safe to use in this manner?

For example, given:
```
@myString = 'aa%bb'
```
I want:
```
WHERE ... LIKE '%' + @somehowEscapedMyString + '%'
```
to match 'aa%bb', 'caa%bbc' but not 'aaxbb' or 'caaxbb'.
Admin over 15 years

I was wishing for something that already nows what needs to be escaped in a LIKE expression.
Goran over 15 years

The answer suggested you specify your own escape character so "meaningful " characters will not be meaningful anymore.
Admin over 15 years

I added an example of what I want to the question.
Jonathan Stark about 12 years

Excellent! But what if there was no leading wild card?
Martin Smith about 12 years

@Colin - If there was no leading wildcard and the aim was to escape all wild card characters elsewhere in the string then you could just use = instead. The escaping special characters answers could still be useful for a query looking for values starting with a particular value though as LIKE can use an index in that case but CHARINDEX can't.
LCJ over 11 years

Currently I am using approach mentioned in stackoverflow.com/questions/13861004/… Do you see any shortcomings with that code?
irag10 over 11 years

@Lijo, that's fine. That answer does the escaping in C# whereas the above answer does it in SQL as it's not C#-specific. Either way the result is the same: escape any special chars in your search string and use the ESCAPE keyword in your LIKE statement.
Ted Hopp almost 10 years

I think you also need to escape a single quote (replacing it with two single quotes, not with \').
irag10 almost 10 years

@TedHopp - no, you don't need to escape ' for the purposes of LIKE, because it's not a special character for LIKE. For example this works fine: declare @s nvarchar(max); set @s = '%''%'; with a_cte as ( select 'I''m adam' as aColumn ) select * from a_cte where aColumn like @s;
irag10 almost 10 years

@TedHopp - what you're probably referring to is just the need to use two ' in order to define a single quote in a string constant. Yes you need to do that, but the resulting string value only has a single quote: the escaping is done just to get the single quote into the string variable when declaring it as a constant value. You could select the ' from somewhere and wouldn't need to escape it.
irag10 almost 10 years

...In the case of LIKE special chars the string value actually contains the escape character. So if you print @myString from my answer you'll see values like 15\% off but if you print @s from my previous comment it will just look like %'%, i.e. just a single quote.
John about 7 years

This is the best answer. Doesn't rely on escape and works for all strings.
bitoolean over 6 years

I think this is the simplest and so closest to what the asker was looking for. Not to say that ESCAPE is not as useful in some cases.
binki about 6 years

Still there’s no explanation of how to reliably get a list of characters which need escaping or how to take an arbitrary string and properly escape it.